- ELB Security Group
Ensure that your Amazon Classic Load Balancers (CLBs) are configured with one or more secure and valid EC2 security groups in order to keep the load balancing process healthy.
This rule can help you with the following compliance standards:
- PCI
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
When your Classic Load Balancer is using misconfigured or invalid security groups, the load balancer stops working as expected. If the load balancer is configured with missing security groups or is using security groups that grant access to ports that are not defined in the listener configuration, the risk of unauthorized access increases.
Audit
Case A: To identify Classic Load Balancers that are referencing invalid (deleted) security groups, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.
05 Select the Amazon Classic Load Balancer that you want to examine.
06 Choose the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.
07 In the Security section, copy the ID of each security group associated with the selected load balancer, listed next to Source Security Group.
08 In the main navigation panel, under Network & Security, choose Security Groups.
09 Paste the ID of each security group copied at step no. 7 in the Filter security groups search box and press Enter. If no results are returned, the associated security group is no longer available, therefore the selected Amazon Classic Load Balancer is configured with a missing security group.
10 Repeat steps no. 5 – 9 for each Classic Load Balancer deployed within the selected AWS region.
11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:
aws elb describe-load-balancers --region us-east-1 --output table --query 'LoadBalancerDescriptions[*].LoadBalancerName'
02 The command output should return a table with the requested load balancer names:
-------------------------------
|    DescribeLoadBalancers    |
+-----------------------------+
|  cc-web-prod-load-balancer  |
|  cc-frontend-load-balancer  |
+-----------------------------+
03 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the name(s) of the security group(s) associated with the selected ELB resource:
aws elb describe-load-balancers --region us-east-1 --load-balancer-name cc-web-prod-load-balancer --query 'LoadBalancerDescriptions[*].SourceSecurityGroup.GroupName'
04 The command output should return the name(s) of the associated security group(s):
[
    "cc-elb-security-group"
]
05 Run describe-security-groups command (OSX/Linux/UNIX) using the name of the security group returned at the previous step as the identifier parameter, to describe the configuration information available for the specified resource:
aws ec2 describe-security-groups --region us-east-1 --group-names cc-elb-security-group
06 The command output should return the requested configuration information if the security group is still available or an error message otherwise:
An error occurred (InvalidGroup.NotFound) when calling the DescribeSecurityGroups operation: The security group 'cc-elb-security-group' does not exist in default VPC 'vpc-0abcd1234abcd1234'
If the describe-security-groups command output returns an InvalidGroup.NotFound error, as shown in the output example above, the specified security group is no longer available, therefore the selected Amazon Classic Load Balancer is configured with a missing security group.
07 Repeat steps no. 3 – 6 for each Classic Load Balancer available in the selected AWS region.
08 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
Case B: To identify Classic Load Balancers associated with misconfigured and insecure security groups, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Load Balancing, choose Load Balancers.
04 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.
05 Select the Amazon Classic Load Balancer that you want to examine.
06 Choose the Listeners tab from the console bottom panel to view the configuration (i.e. protocol, port, etc.) of the listener(s) defined for the selected load balancer.
07 Choose the Description tab from the console bottom panel to view the general configuration information available for the selected ELB resource.
08 In the Security section, click on the ID (link) of each security group associated with the selected load balancer, listed next to Source Security Group.
09 Select the Inbound rules tab and check the configuration of each inbound/ingress rule listed in the Inbound rules section. If the associated security group is not configured to match the configuration of the listener(s) defined for the load balancer, identified at step no. 6, the selected Amazon Classic Load Balancer is associated with a misconfigured and potentially insecure security group.
10 Repeat steps no. 5 – 9 for each Classic Load Balancer available within the selected AWS region.
11 Change the AWS cloud region from the console navigation bar and repeat the Audit process for other regions.
Using AWS CLI
01 Run describe-load-balancers command (OSX/Linux/UNIX) with custom query filters to list the name of each Classic Load Balancer available in the selected AWS region:
aws elb describe-load-balancers --region us-east-1 --output table --query 'LoadBalancerDescriptions[*].LoadBalancerName'
02 The command output should return a table with the requested load balancer names:
-------------------------------
|    DescribeLoadBalancers    |
+-----------------------------+
|  cc-web-prod-load-balancer  |
|  cc-frontend-load-balancer  |
+-----------------------------+
03 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to examine as the identifier parameter and custom query filters to describe the configuration of the listener(s) defined for the selected load balancer:
aws elb describe-load-balancers --region us-east-1 --load-balancer-name cc-web-prod-load-balancer --query 'LoadBalancerDescriptions[*].ListenerDescriptions[].Listener'
04 The command output should return the requested configuration information:
[
    {
        "Protocol": "HTTP",
        "LoadBalancerPort": 80,
        "InstanceProtocol": "HTTP",
        "InstancePort": 80
    }
]
05 Run describe-load-balancers command (OSX/Linux/UNIX) using the name of the load balancer that you want to examine as the identifier parameter and custom query filters to describe the name(s) of the security group(s) associated with the selected ELB resource:
aws elb describe-load-balancers --region us-east-1 --load-balancer-name cc-web-prod-load-balancer --query 'LoadBalancerDescriptions[*].SourceSecurityGroup.GroupName'
06 The command output should return the name(s) of the associated security group(s):
[
    "cc-elb-security-group"
]
07 Run describe-security-groups command (OSX/Linux/UNIX) using the name of the security group returned at the previous step as the identifier parameter, to describe the inbound/ingress rule(s) defined for the selected resource:
aws ec2 describe-security-groups --region us-east-1 --group-names cc-elb-security-group --query 'SecurityGroups[*].IpPermissions[]'
08 The command output should return the requested configuration information:
[
    {
        "IpProtocol": "-1",
        "IpRanges": [
            {
                "CidrIp": "0.0.0.0/0"
            }
        ],
        "Ipv6Ranges": [],
        "PrefixListIds": [],
        "UserIdGroupPairs": []
    }
]
09 Compare the load balancer listener(s) configuration returned at step no. 4 with the security group inbound configuration returned at step no. 8. If the associated security group is not configured to match the configuration of the listener(s) defined for the load balancer, the selected Amazon Classic Load Balancer is associated with a misconfigured and potentially insecure security group.
10 Repeat steps no. 3 – 9 for each Classic Load Balancer available in the selected AWS region.
11 Change the AWS cloud region by updating the --region command parameter value and repeat the Audit process for other regions.
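The two audit cases above can be run offline over the saved output of the describe commands. The script below is an added example (it is not part of the Conformity rule or of any AWS tooling): it takes the LoadBalancerDescriptions list from aws elb describe-load-balancers and the SecurityGroups list from aws ec2 describe-security-groups, reports security groups that no longer exist (Case A) and ingress rules wider than the listener configuration (Case B), and goes slightly beyond the page by also flagging load balancers with no security group at all and rules for non-TCP protocols. The sample records, the deleted group ID sg-0deadbeefdeadbeef and the function names are constructed for this example.

```python
"""Offline check of Classic Load Balancer security groups against listeners
(added example, not part of the Conformity rule).

Inputs have the shape of `aws elb describe-load-balancers --output json`
(the LoadBalancerDescriptions list) and `aws ec2 describe-security-groups
--output json` (the SecurityGroups list). The records below are constructed
samples; sg-0deadbeefdeadbeef stands for a group that has been deleted."""
import json
import sys

SAMPLE_LOAD_BALANCERS = [
    {
        "LoadBalancerName": "cc-web-prod-load-balancer",
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80,
                          "InstanceProtocol": "HTTP", "InstancePort": 80}}
        ],
        "SecurityGroups": ["sg-01234abcd1234abcd"],
    },
    {
        "LoadBalancerName": "cc-frontend-load-balancer",
        "ListenerDescriptions": [
            {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443,
                          "InstanceProtocol": "HTTP", "InstancePort": 80}}
        ],
        "SecurityGroups": ["sg-0deadbeefdeadbeef"],  # constructed: no longer exists
    },
]

SAMPLE_SECURITY_GROUPS = [
    {
        "GroupId": "sg-01234abcd1234abcd",
        "GroupName": "cc-elb-security-group",
        "IpPermissions": [
            # all protocols, all ports, from anywhere: wider than the HTTP:80 listener
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
             "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
        ],
    }
]


def listener_ports(lb):
    """Front-end ports of all listeners. Every CLB listener type (HTTP, HTTPS,
    TCP, SSL) is carried over TCP, so matching ingress rules must be TCP."""
    return {d["Listener"]["LoadBalancerPort"] for d in lb.get("ListenerDescriptions", [])}


def rule_exceeds_listeners(perm, ports):
    """True when an ingress rule admits traffic that no listener accepts: an
    all-protocol rule, a non-TCP rule, or a TCP range covering a non-listener port."""
    proto = perm.get("IpProtocol")
    if proto not in ("tcp", "6"):  # "-1" (all protocols), udp, icmp, ...
        return True
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None:
        return True
    return any(port not in ports for port in range(lo, hi + 1))


def describe_permission(perm):
    """Human-readable summary of one IpPermissions entry for the finding."""
    sources = ([r["CidrIp"] for r in perm.get("IpRanges", [])]
               + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
               + [g["GroupId"] for g in perm.get("UserIdGroupPairs", [])]
               + [p["PrefixListId"] for p in perm.get("PrefixListIds", [])])
    proto = perm.get("IpProtocol")
    ports = "all ports" if proto == "-1" else f"{perm.get('FromPort')}-{perm.get('ToPort')}"
    return f"{proto} {ports} from {', '.join(sources) or 'no source'}"


def audit(load_balancers, security_groups):
    """Return (load balancer name, group id, finding, detail) tuples covering
    Case A (missing groups) and Case B (rules wider than the listeners)."""
    groups = {sg["GroupId"]: sg for sg in security_groups}
    findings = []
    for lb in load_balancers:
        name = lb["LoadBalancerName"]
        ports = listener_ports(lb)
        attached = lb.get("SecurityGroups", [])
        if not attached:
            findings.append((name, None, "NO_SECURITY_GROUP", None))
        for sg_id in attached:
            sg = groups.get(sg_id)
            if sg is None:
                findings.append((name, sg_id, "MISSING_SECURITY_GROUP", None))
                continue
            for perm in sg.get("IpPermissions", []):
                if rule_exceeds_listeners(perm, ports):
                    findings.append((name, sg_id, "RULE_EXCEEDS_LISTENERS",
                                     describe_permission(perm)))
    return findings


def main(argv):
    """Usage: python3 <this file> [load-balancers.json security-groups.json],
    the two files being the saved JSON output of the describe commands."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            lbs = json.load(f)["LoadBalancerDescriptions"]
        with open(argv[2]) as f:
            sgs = json.load(f)["SecurityGroups"]
    else:
        lbs, sgs = SAMPLE_LOAD_BALANCERS, SAMPLE_SECURITY_GROUPS
    for name, sg_id, finding, detail in audit(lbs, sgs):
        print(f"{name}\t{sg_id}\t{finding}\t{detail or ''}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it without arguments to see the two findings produced by the constructed samples, or pass the JSON files saved from the two describe commands for one region. A rule is only accepted when it is TCP and every port in its range is a listener port, which is the same comparison the console and CLI steps ask you to make by hand.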
Remediation / Resolution
Using AWS CloudFormation
01 CloudFormation template (JSON):
{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "ELBSecurityGroup": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupName": "cc-new-elb-security-group",
                "GroupDescription": "Security Group for Classic Load Balancer",
                "VpcId": "vpc-0abcd1234abcd1234",
                "SecurityGroupIngress": [
                    {
                        "Description": "Allow inbound HTTP traffic",
                        "IpProtocol": "tcp",
                        "FromPort": 80,
                        "ToPort": 80,
                        "CidrIp": "0.0.0.0/0"
                    }
                ],
                "SecurityGroupEgress": [
                    {
                        "Description": "Allow all outbound traffic",
                        "IpProtocol": "-1",
                        "FromPort": 0,
                        "ToPort": 65535,
                        "CidrIp": "0.0.0.0/0"
                    }
                ]
            }
        },
        "ClassicLoadBalancer": {
            "Type": "AWS::ElasticLoadBalancing::LoadBalancer",
            "Properties": {
                "LoadBalancerName": "cc-web-prod-load-balancer",
                "Scheme": "internet-facing",
                "Subnets": [
                    "subnet-01234abcd1234abcd",
                    "subnet-0abcd1234abcd1234"
                ],
                "Instances": [
                    "i-0abcd1234abcd1234",
                    "i-01234abcd1234abcd"
                ],
                "Listeners": [
                    {
                        "InstancePort": "80",
                        "InstanceProtocol": "HTTP",
                        "LoadBalancerPort": "80",
                        "Protocol": "HTTP",
                        "PolicyNames": []
                    }
                ],
                "SecurityGroups": [
                    {
                        "Ref": "ELBSecurityGroup"
                    }
                ]
            }
        }
    }
}
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  ELBSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupName: cc-new-elb-security-group
      GroupDescription: Security Group for Classic Load Balancer
      VpcId: vpc-0abcd1234abcd1234
      SecurityGroupIngress:
        - Description: Allow inbound HTTP traffic
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: '0.0.0.0/0'
      SecurityGroupEgress:
        - Description: Allow all outbound traffic
          IpProtocol: '-1'
          FromPort: 0
          ToPort: 65535
          CidrIp: '0.0.0.0/0'
  ClassicLoadBalancer:
    Type: AWS::ElasticLoadBalancing::LoadBalancer
    Properties:
      LoadBalancerName: cc-web-prod-load-balancer
      Scheme: internet-facing
      Subnets:
        - subnet-01234abcd1234abcd
        - subnet-0abcd1234abcd1234
      Instances:
        - i-0abcd1234abcd1234
        - i-01234abcd1234abcd
      Listeners:
        - InstancePort: '80'
          InstanceProtocol: HTTP
          LoadBalancerPort: '80'
          Protocol: HTTP
          PolicyNames: []
      SecurityGroups:
        - !Ref 'ELBSecurityGroup'
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_security_group" "elb-security-group" {
  name        = "cc-new-elb-security-group"
  description = "Security Group for Classic Load Balancer"
  vpc_id      = "vpc-0abcd1234abcd1234"

  ingress {
    description = "Allow inbound HTTP traffic"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    description = "Allow all outbound traffic"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_elb" "aws-load-balancer" {
  name      = "cc-web-prod-load-balancer"
  instances = ["i-0abcd1234abcd1234", "i-01234abcd1234abcd"]
  subnets   = ["subnet-01234abcd1234abcd", "subnet-0abcd1234abcd1234"]
  internal  = false

  listener {
    instance_port     = 80
    instance_protocol = "http"
    lb_port           = 80
    lb_protocol       = "http"
  }

  security_groups = [aws_security_group.elb-security-group.id]
}
Case A: To remediate misconfigured Classic Load Balancer (CLBs) that are missing security groups, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the navigation panel, under Network & Security, choose Security Groups.
04 To replace the missing security group with a new one and attach it to your load balancer, you must create and configure a new Amazon EC2 security group. To create the compliant security group, choose Create security group from the console top menu to initiate the setup process.
05 On the Create security group setup page, provide the following information:
- For Security group name, provide a unique name for your new security group.
- For Description, provide a short description that reflects the security group usage.
- Choose the appropriate VPC network from the VPC dropdown list.
- In the Inbound rules section, use the Add rule button to add the required inbound/ingress rules. The inbound rules configuration must match the load balancer listeners configuration, for example:
  - Select HTTP from the Type dropdown list to create an inbound rule for the TCP port 80.
  - Select Anywhere-IPv4 from the Source dropdown list to allow public Internet access.
  - Provide a short description for the new inbound rule in the Description – optional box.
- In the Tags – optional section, use the Add new tag button to apply any necessary tags.
06 Choose Create security group to create your new security group for your load balancer.
07 In the main navigation panel, under Load Balancing, choose Load Balancers.
08 Click inside the Filter by tags and attributes or search by keyword box, select Type and choose classic to list the Classic Load Balancers available in the current AWS region.
09 Select the Amazon Classic Load Balancer that you want to reconfigure.
10 Choose the Description tab from the console bottom panel to view the configuration information available for the selected load balancer.
11 In the Security section, choose Edit security groups next to Source Security Group.
12 In the Edit security groups configuration box, perform the following operations:
- To remove the missing security group attached to the load balancer, deselect the security group entry.
- To add a new security group available in the list, select the security group entry. Choose the security group created earlier in the Remediation process for your load balancer.
- Choose Save to apply the changes.
13 Repeat steps no. 4 – 12 for each Classic Load Balancer that you want to reconfigure, available within the current AWS region.
14 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run create-security-group command (OSX/Linux/UNIX) to re-create the missing security group required by your Classic Load Balancer. Make sure that the new security group and the selected load balancer share the same VPC network:
aws ec2 create-security-group --region us-east-1 --group-name cc-new-elb-security-group --description "Security Group for Classic Load Balancer" --vpc-id vpc-0abcd1234abcd1234
02 The command output should return the ID of the new security group:
{
    "GroupId": "sg-01234abcd1234abcd"
}
03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) using the ID of the security group returned at the previous step as the identifier parameter, to create the necessary inbound rule, based on your application requirements:
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-01234abcd1234abcd --protocol tcp --port 80 --cidr 0.0.0.0/0
04 The command output should return the metadata available for the inbound rule:
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-01234abcd1234abcd",
            "GroupId": "sg-01234abcd1234abcd",
            "GroupOwnerId": "123456789012",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}
05 Run authorize-security-group-egress command (OSX/Linux/UNIX) using the ID of the newly created security group as the identifier parameter to configure the necessary outbound rule, based on your application requirements:
aws ec2 authorize-security-group-egress --region us-east-1 --group-id sg-01234abcd1234abcd --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]'
06 The command output should return the metadata available for the outbound rule:
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-01234abcd1234abcd",
            "GroupId": "sg-01234abcd1234abcd",
            "GroupOwnerId": "123456789012",
            "IsEgress": true,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}
07 Run apply-security-groups-to-load-balancer command (OSX/Linux/UNIX) using the name of the Classic Load Balancer that you want to reconfigure as the identifier parameter, to replace the missing security group with the new one, created and configured at the previous steps. Because the specified security groups override the previously associated security groups, ensure that you add any other required security groups to the --security-groups command parameter (the command does not produce an output):
aws elb apply-security-groups-to-load-balancer --region us-east-1 --load-balancer-name cc-web-prod-load-balancer --security-groups sg-01234abcd1234abcd
08 Repeat steps no. 1 – 7 for each Classic Load Balancer that you want to reconfigure, available in the selected AWS region.
09 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
Case B: To remediate misconfigured security groups associated with your Classic Load Balancers, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon EC2 console at https://console.aws.amazon.com/ec2/v2/.
03 In the main navigation panel, under Network & Security, choose Security Groups.
04 Select the security group that you want to reconfigure, associated with your Classic Load Balancer.
05 Select the Inbound rules tab from the console bottom panel and choose Edit inbound rules.
06 On the Edit inbound rules configuration page, perform the following operations:
- Identify all the misconfigured, non-compliant inbound rules defined for the selected security group and choose Delete to remove them.
- Use the Add rule button to add and configure new, compliant inbound rules that match the listeners configuration defined for the associated load balancer. For example, to allow inbound access to your load balancer on TCP port 80 (HTTP) only, provide the following information:
  - Select HTTP from the Type dropdown list to create an inbound rule for the TCP port 80.
  - Select Anywhere-IPv4 from the Source dropdown list to allow public HTTP access.
  - Provide a short description for the new inbound rule in the Description – optional box.
- Choose Save rules to apply the configuration changes.
07 Repeat steps no. 4 – 6 to reconfigure other security groups that are associated with your load balancer.
08 Repeat steps no. 4 – 7 for each Classic Load Balancer that you want to reconfigure, available within the current AWS region.
09 Change the AWS cloud region from the navigation bar and repeat the Remediation process for other regions.
Using AWS CLI
01 Run revoke-security-group-ingress command (OSX/Linux/UNIX) using the ID of the associated security group that you want to reconfigure as the identifier, to remove the misconfigured, non-compliant inbound rules from the selected security group:
aws ec2 revoke-security-group-ingress --region us-east-1 --group-id sg-01234abcd1234abcd --ip-permissions 'IpProtocol=-1,IpRanges=[{CidrIp=0.0.0.0/0}],Ipv6Ranges=[{CidrIpv6=::/0}]' --query 'Return'
02 The command output should return true if the request succeeds. Otherwise, it should return an error:
true
03 Run authorize-security-group-ingress command (OSX/Linux/UNIX) to add a new, compliant inbound rule that matches the listener configuration defined for the associated load balancer. For example, to allow inbound access to your load balancer on TCP port 80 (HTTP), run the following command:
aws ec2 authorize-security-group-ingress --region us-east-1 --group-id sg-01234abcd1234abcd --protocol tcp --port 80 --cidr 0.0.0.0/0
04 The command output should return the configuration information available for the new security group rule:
{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-01234abcd1234abcd",
            "GroupId": "sg-01234abcd1234abcd",
            "GroupOwnerId": "123456789012",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "0.0.0.0/0"
        }
    ]
}
05 Repeat steps no. 1 – 5 to reconfigure other security groups that are associated with your load balancer.
06 Repeat steps no. 1 – 5 for each Classic Load Balancer that you want to reconfigure, available in the selected AWS region.
07 Change the AWS cloud region by updating the --region command parameter value and perform the Remediation process for other regions.
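The Case B CLI remediation revokes the non-compliant rules and authorizes one rule per listener port; working out which rules fall in each set by hand is error-prone once a group carries several entries and sources. The script below is an added example (not Conformity's tooling and not an AWS API): it takes the Listener objects from aws elb describe-load-balancers and the IpPermissions list from aws ec2 describe-security-groups, derives the desired rule set (one TCP rule per listener port, open to 0.0.0.0/0 by default, an assumption that mirrors the page's example and should be narrowed to your real client ranges), diffs it against the current rules source by source, and prints the revoke-security-group-ingress and authorize-security-group-ingress commands with the resulting rules as JSON. The sample listener and permissions are constructed; the function names and the sources parameter are this example's own.

```python
"""Plan the ingress-rule changes that align a Classic Load Balancer security
group with the load balancer's listeners (added example, not Conformity's
tooling). Input shapes: the Listener objects from `aws elb
describe-load-balancers` and the IpPermissions list from `aws ec2
describe-security-groups`; the samples below are constructed."""
import json

SAMPLE_LISTENERS = [
    {"Protocol": "HTTP", "LoadBalancerPort": 80, "InstanceProtocol": "HTTP", "InstancePort": 80}
]
# current (non-compliant) ingress: every protocol and port from anywhere
SAMPLE_EXISTING = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [], "PrefixListIds": [], "UserIdGroupPairs": []}
]

# source kind -> the IpPermissions field that carries it
SOURCE_FIELDS = {"CidrIp": "IpRanges", "CidrIpv6": "Ipv6Ranges",
                 "GroupId": "UserIdGroupPairs", "PrefixListId": "PrefixListIds"}


def explode(perm):
    """Split one IpPermissions entry into atomic (proto, from, to, kind, source)
    rules, so that a multi-source entry can be diffed source by source."""
    base = (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"))
    return {base + (kind, entry[kind])
            for kind, field in SOURCE_FIELDS.items()
            for entry in perm.get(field, [])}


def implode(atom):
    """Turn one atomic rule back into an IpPermissions entry the CLI accepts."""
    proto, lo, hi, kind, source = atom
    perm = {"IpProtocol": proto}
    if lo is not None:  # "-1" (all protocols) rules carry no port range
        perm["FromPort"], perm["ToPort"] = lo, hi
    perm[SOURCE_FIELDS[kind]] = [{kind: source}]
    return perm


def _sort_key(atom):
    """Deterministic ordering; None ports (all-protocol rules) sort first."""
    proto, lo, hi, kind, source = atom
    return (proto, -1 if lo is None else lo, -1 if hi is None else hi, kind, source)


def desired_permissions(listeners, sources=("0.0.0.0/0",)):
    """One TCP rule per distinct listener port, open to each source CIDR
    (IPv6 CIDRs are recognised by the colon and placed in Ipv6Ranges)."""
    atoms = {("tcp", l["LoadBalancerPort"], l["LoadBalancerPort"],
              "CidrIpv6" if ":" in src else "CidrIp", src)
             for l in listeners for src in sources}
    return [implode(a) for a in sorted(atoms, key=_sort_key)]


def plan_changes(existing, desired):
    """Return (revoke, authorize): rules present but not wanted, and wanted
    but not present. Rules that already match are left untouched."""
    have = set().union(*(explode(p) for p in existing))
    want = set().union(*(explode(p) for p in desired))
    revoke = [implode(a) for a in sorted(have - want, key=_sort_key)]
    authorize = [implode(a) for a in sorted(want - have, key=_sort_key)]
    return revoke, authorize


def cli_commands(region, group_id, revoke, authorize):
    """The revoke/authorize commands used in the Remediation section, with the
    planned rules passed as JSON to --ip-permissions."""
    cmds = []
    if revoke:
        cmds.append(f"aws ec2 revoke-security-group-ingress --region {region} "
                    f"--group-id {group_id} --ip-permissions '{json.dumps(revoke)}'")
    if authorize:
        cmds.append(f"aws ec2 authorize-security-group-ingress --region {region} "
                    f"--group-id {group_id} --ip-permissions '{json.dumps(authorize)}'")
    return cmds


if __name__ == "__main__":
    revoke, authorize = plan_changes(SAMPLE_EXISTING, desired_permissions(SAMPLE_LISTENERS))
    for cmd in cli_commands("us-east-1", "sg-01234abcd1234abcd", revoke, authorize):
        print(cmd)
```

Revoke and authorize are kept as two separate commands, in that order, so that a group is never left with both the wide rule and the new one; a group that already matches its listeners yields an empty plan and no commands. Review the printed commands before running them, since the security group IDs and region are taken verbatim from the input.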
References
- AWS Command Line Interface (CLI) Documentation
- describe-load-balancers
- describe-security-groups
- create-security-group
- authorize-security-group-ingress
- apply-security-groups-to-load-balancer
- revoke-security-group-ingress
- authorize-security-group-egress